On Mon, Feb 14, 2005 at 09:25:43AM -0800, Scott Becker wrote:
> Does anybody know which mailing list addresses security issues?

fedora-list is best for this in general. But there is a "-devel" issue here.....

> Logwatch on my server reported this:
> apache logged in from dsl-82-199-133-138.dutchdsl.nl (82.199.133.138) using
> password: 1 Time(s)
> My apache account is active so I can su to it to administer postgresql
> databases accessible via php scripts. No password is set. It was my
> understanding that it would be impossible to log in except via su from
> root. Either I'm dead wrong or there's a security hole which needs fixed.

I think the problem here is that you're dead wrong. If no password is set and the account isn't locked, anyone can log in. Make sure the account is locked.

For this reason, I apply the following patch to authconfig, to make the default configuration disallow logins with null passwords. I think it'd be a good idea to make this be the default, in fact. People who really want empty passwords should have to do this to themselves.

--- ../authconfig-4.1.6.orig/authinfo.c Wed Aug 29 14:26:40 2001
+++ ./authinfo.c Wed Aug 29 14:29:46 2001
@@ -2061,9 +2061,7 @@
 static const char *argv_unix_auth[] = {
 	"likeauth",
-	"nullok",
 	NULL,
 };
 static const char *argv_unix_password[] = {
-	"nullok",
 	"use_authtok",
 	NULL,

-- 
Matthew Miller mattdm@xxxxxxxxxx <http://www.mattdm.org/>
--> Fedora Users & Developers Conference, hosted by Boston University <--
February 18th, 2005 <http://fedoraproject.org/fudcon/>
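Review bot: dropping "nullok" from both argv_unix_auth and argv_unix_password silently changes the pam_unix lines authconfig generates for every system it runs on, so any existing account with an empty password field stops authenticating the next time authconfig rewrites the PAM files; the hunk carries no changelog or documentation note and no way to opt back in. Suggest adding a changelog entry describing the new default and, as the message itself proposes, a documented way for people who really want empty passwords to re-enable the option rather than having them edit the generated PAM files by hand.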
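The two conditions the reply names, an empty password field plus an unlocked account, are only dangerous when pam_unix is run with nullok. The following shell script is an added example, not code from the thread or from authconfig: it audits shadow-format records for passwordless and locked accounts and checks a PAM stanza for the nullok option. All input is constructed sample data so it runs offline; on a real host you would feed it /etc/shadow and /etc/pam.d/system-auth instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or authconfig).
# Audits shadow-style records for accounts that nullok would let in
# without a password, and reports whether a PAM stanza enables nullok.

# Constructed sample shadow records (not real data): a hashed account,
# an unlocked account with an empty password field, and two locked ones.
SAMPLE_SHADOW='root:$6$placeholderhash:12000:0:99999:7:::
apache::12000:0:99999:7:::
postgres:!:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::'

# Constructed PAM stanza as unpatched authconfig would write it (nullok present).
SAMPLE_PAM_NULLOK='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow'

# Constructed PAM stanza after the patch in the thread (nullok removed).
SAMPLE_PAM_FIXED='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth
auth        required      pam_deny.so
password    sufficient    pam_unix.so use_authtok md5 shadow'

# Print account names whose password field (field 2) is empty.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print account names that are locked: field 2 starts with "!" (what
# passwd -l / usermod -L write) or is exactly "*".
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ || $2 == "*" { print $1 }'
}

# True (exit 0) if any pam_unix.so line in the stanza carries nullok,
# which is the option that lets an empty password field authenticate.
pam_allows_nullok() {
    printf '%s\n' "$1" | grep -Eq 'pam_unix\.so.* nullok( |$)'
}

# Accounts that can currently be entered with no password: an empty
# password field only matters when the PAM stanza has nullok.
exposed_accounts() {
    if pam_allows_nullok "$2"; then
        empty_password_accounts "$1"
    fi
}

# Stand-alone report over the constructed samples.
report() {
    printf 'locked accounts:\n'
    locked_accounts "$1"
    printf 'passwordless accounts:\n'
    empty_password_accounts "$1"
    if pam_allows_nullok "$2"; then
        printf 'PAM allows nullok; exposed accounts:\n'
        exposed_accounts "$1" "$2"
    else
        printf 'PAM does not allow nullok; passwordless accounts cannot log in.\n'
    fi
}

report "$SAMPLE_SHADOW" "$SAMPLE_PAM_NULLOK"
```

With the nullok stanza the report lists apache as exposed; with the patched stanza the same shadow file yields nothing. Locking the account (passwd -l apache) closes the hole regardless of the PAM setting, which is the fix the reply recommends.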